How cyber-criminals are exploiting Latin America's new digital economy

This is a contributed article by Max Heinemeyer, Director of Threat Hunting, Darktrace

Over the past decade, Latin America has transitioned from a majority analogue region to a predominantly digital one. But as its companies and governments embrace internet technologies at a breakneck pace, cyber security concerns have frequently taken a back seat. The number of internet users in Mexico, for instance, has grown by a staggering 13.4% annually since 2006, compared to a 3.3% annual increase in the United States. At the same time, the US spent considerably more on security solutions than all of Latin America combined, a discrepancy that experts anticipate will only widen in the coming years.

This dangerous combination of burgeoning networks and relatively lax cyber defences has, unsurprisingly, attracted the attention of sophisticated online threat actors, who are now targeting the region with advanced attacks. This has accelerated in recent months, with the Latin America region bombarded with a range of threats, from stealthy trojans and silent PowerShell attacks to subtle cloud-based threats. Cyber-criminals are constantly innovating to compromise the personal information and intellectual property of the region's 630 million, increasingly digitised residents. Safeguarding them will require a new approach to digitisation — one that places cyber security at the very heart of the corporate network.

Polymorphic banking trojan

At a Latin American financial services company, a corporate desktop was seen downloading an EXE file from a rare external hostname. Following this download, the device generated multiple failed authentications with the credential "administrator" — an English word not frequently used in Spanish-speaking countries. The device then started sending rare EXE files with numeric names internally via SMB, before a few minutes later, multiple devices began beaconing to rare destinations never seen in the network before.

This type of activity is atypical for the company's unique users, devices, and network. A subsequent analysis revealed that it was a live copy of the polymorphic Emotet banking trojan. Whereas the Emotet trojan is notoriously difficult to spot, cybersecurity approaches based on AI are able to understand a company's normal activity, allowing them to recognize Emotet's key behaviours as abnormal.

PowerShell attack from rare location

Elsewhere in Latin America, a desktop was seen downloading a Python script from a rare location in Malaysia. Neither the desktop in question nor any other internal devices had ever connected to the external destination before, an early indicator of cyber-threat that signature-based security tools would have missed. The script was downloaded from a domain that included apparently legitimate strings like "windows", but which was in fact not associated with Microsoft or other legitimate organisations.

Following the download, the device initiated an HTTP connection with the external destination using PowerShell, whereupon multiple company devices started communicating with this rare destination. But while this type of disguised attack has become popular among threat actors as a result of its ability to bypass traditional detection systems, the ability to detect anomalous network activity can help Latin American companies mitigate these threats.

Compromised SaaS credentials

At an international financial services firm based in Latin America, a Microsoft Office 365 user account that regularly authenticates from known Latin American locations suddenly started exhibiting unusual activity — authenticating many times from a rare IP address in Asia-Pacific. This is another situation that could be flagged by systems capable of anomaly detection, since the business has few ties to the Asia-Pacific region. This early detection of anomalous credential behaviour revealed a breach in the use of the corporate SaaS service, a breach that could have escalated to compromise other Office 365 users had the firm not caught it in its nascent stage.

Digitising with diligence

In light of Latin America's rapid digitalisation and increasingly lucrative virtual assets, existing security vulnerabilities that were not significant several years — or even months — ago are now being exploited by cyber-criminals. Indeed, the high value of their potential compromises incentivises these criminals to create malware specifically tailored to Latin American targets, which promise to cause major disruptions, inflict significant financial and intellectual property losses, and entail incalculable reputational costs.

In this climate, it is imperative that companies and governments take a step back from their digital transformation projects to make cyber defence a core aspect of their organisation, rather than an afterthought. And only with AI-based defences at the centre of such projects can they durably shape the region's new economy.

Max Heinemeyer is a cyber security expert with over nine years' experience in the field, specialising in network monitoring and offensive security. At Darktrace, Heinemeyer works with strategic customers to help them investigate and respond to threats, as well as overseeing the cyber security analyst team in the Cambridge UK headquarters. Prior to his current role, Max led the Threat and Vulnerability Management department for Hewlett-Packard in Central Europe. In this role he worked as a white hat hacker, leading penetration tests and red team engagements.